Cookies Management

Cookies are a very useful way to store small pieces of data on the client’s machine that can be retrieved even if the user closes his/her browser. Phalcon\Http\Response\Cookies acts as a global bag for cookies. Cookies are stored in this bag during the request execution and are sent automatically at the end of the request.

Basic Usage

You can set/get cookies by just accessing the cookies service in any part of the application where services can beaccessed:

  1. <?php
  3. use Phalcon\Mvc\Controller;
  5. class SessionController extends Controller
  6. {
  7.     public function loginAction()
  8.     {
  9.         // Check if the cookie has previously set
  10.         if ($this->cookies->has('remember-me')) {
  11.             // Get the cookie
  12.             $rememberMeCookie = $this->cookies->get('remember-me');
  14.             // Get the cookie's value
  15.             $value = $rememberMeCookie->getValue();
  16.         }
  17.     }
  19.     public function startAction()
  20.     {
  21.         $this->cookies->set(
  22.             'remember-me',
  23.             'some value',
  24.             time() + 15 * 86400
  25.         );
  26.         $this->cookies->send();
  27.     }
  29.     public function logoutAction()
  30.     {
  31.         $rememberMeCookie = $this->cookies->get('remember-me');
  33.         // Delete the cookie
  34.         $rememberMeCookie->delete();
  35.     }
  36. }

Encryption/Decryption of Cookies

By default, cookies are automatically encrypted before being sent to the client and are decrypted when retrieved from the user. This protection prevents unauthorized users to see the cookies’ contents in the client (browser). Despite this protection, sensitive data should not be stored in cookies.

You can disable encryption as follows:

  1. <?php
  3. use Phalcon\Http\Response\Cookies;
  5. $di->set(
  6.     'cookies',
  7.     function () {
  8.         $cookies = new Cookies();
  10.         $cookies->useEncryption(false);
  12.         return $cookies;
  13.     }
  14. );

If you wish to use encryption, a global key must be set in the crypt service:

  1.     <?php
  3.     use Phalcon\Crypt;
  5.     $di->set(
  6.         'crypt',
  7.         function () {
  8.             $crypt = new Crypt();
  10.             /**
  11.              * Set the cipher algorithm.
  12.              *
  13.              * The `aes-256-gcm' is the preferable cipher, but it is not usable until the
  14.              * openssl library is upgraded, which is available in PHP 7.1.
  15.              *
  16.              * The `aes-256-ctr' is arguably the best choice for cipher
  17.              * algorithm in these days.
  18.              */
  19.             $crypt->setCipher('aes-256-ctr');
  21.             /**
  22.              * Setting the encryption key.
  23.              *
  24.              * The key should have been previously generated in a cryptographically safe way.
  25.              *
  26.              * Bad key:
  27.              * "le password"
  28.              *
  29.              * Better (but still unsafe):
  30.              * "#1dj8$=dp?.ak//j1V$~%*0X"
  31.              *
  32.              * Good key:
  33.              * "T4\xb1\x8d\xa9\x98\x054t7w!z%C*F-Jk\x98\x05\x5c"
  34.              *
  35.              * Use your own key. Do not copy and paste this example key.
  36.              */
  37.             $key = "T4\xb1\x8d\xa9\x98\x054t7w!z%C*F-Jk\x98\x05\x5c";
  39.             $crypt->setKey($key);
  41.             return $crypt;
  42.         }
  43.     );

Sending cookies data without encryption to clients including complex objects structures, resultsets, service information, etc. could expose internal application details that could be used by an attacker to attack the application. If you do not want to use encryption, we highly recommend you only send very basic cookie data like numbers or small string literals.